Shared Android device quickstart
Normally, Android devices only support one user account and don't provide a sign-in system. However, there are many cases in an enterprise's activities where a device would be more fit for purpose if it could support multiple identities, such as an on-premises device that's transferred to a different employee during each work shift, a freely accessible device in a common room, or a shared device for visitors and guests.
Knox Manage allows you to enroll Android devices in a special shared mode, which supports the authentication of multiple assigned users through the sign-in screen on the Knox Manage agent. You can configure a shared device so that when a user signs in, it applies settings and a profile that is either generic or unique to that user, allowing varying levels of user access and permissions depending on the user's role and needs.
To better isolate data between user accounts on the device, there are two types of shared device:
Shared device type | Purpose |
---|---|
Temporary | For guests and visitors. Data and installed apps on the device are deleted when the device user signs out, meaning no locally stored information is shared between users or between sessions. |
Persistent | For shift workers. Data and installed apps on the device are retained when the device user signs out, meaning locally stored information is shared between users and between sessions. |
Supported devices
The following devices can be enrolled in shared mode:
- Samsung Galaxy Tab devices running Android 9 or higher
- Non-Samsung devices running Android 9 or higher
Set up a shared Android device
The process to set up a shared device has the following stages:
Register a staging user
Since Android can't operate without at least one active user, shared devices require a staging user between regular user sessions. The staging user is an account with a supervisory scope that carries the basic device configuration and settings, and hosts a base session in the operating system that provides the sign-in screen to device users.
When a device is being prepared to enter shared mode, it must be provisioned with the staging user.
To create a staging user:
- Go to User, then click Add.
- Fill in the basic and required user account information. For more detailed instructions, see Register a single user.
- Set Staging user to Yes.
- Make sure Using Type is set to Shared Device.
- Set Shared device type to Temporary or Persistent according to your deployment needs.
- Click Save and confirm.
Configure the staging user settings
Next, configure the device settings for the staging user that apply between regular user sessions. You can configure generic settings that apply to all staging users in your tenant, or create more specific configurations that only apply to select staging users. If you configure both, a specific configuration overrides the generic settings.
To configure the staging user settings:
- Go to Setting > Configuration > Staging Device.
- Next, choose whether you want the configuration to be generic to all staging users on the Default tab, or click to add a unique configuration for your shared device.
- As needed, set Utilities Setting to Allow and select which Android features to enable for the staging user:
  - Power
  - System Status Bar
  - Notification Bar
  - Key Guard
- As needed, under Device Setting, select the items that the staging user can access in the Settings app on the device:
  - Wi-Fi
  - Bluetooth
  - NFC
  - Mobile Data
  - Mobile Networks
  - Hotspot
  - Location
- As needed, turn on Wi-Fi and preconfigure an access point that the device can connect to during staging user sessions.
- If you're creating a configuration that's specific to the staging user, click Select Staging User and select the staging user from the list.
- Click Save & Apply to finish configuring the staging user settings.
Enroll the device
Lastly, after configuring the staging user and its settings, you must enroll the device and activate shared mode:
- Go to User, then take note of the staging user's ID.
- Then, enroll the device with the staging user through one of these methods:
  Regardless of the method you choose, make sure you enter the staging user ID, or the device won't enroll in shared mode.
- After enrollment, go to Device, then search for and find the device. If it successfully enrolled as a shared device, its value in the Platform & Management Type column is Shared followed by the type (Temporary or Persistent).
Device user sign-in
When the shared device is enrolled and deployed to the field, it displays the sign-in screen when no user session is active. A user starts a session by signing in with their Knox Manage account credentials.
When the device user has finished their activities, they can end their session by tapping Check Out in the persistent Knox notification.
If it's a temporary shared device, the app and user data on the device are erased.
Policies and device commands for shared devices
Shared devices can receive device commands and policies that are compatible with work profiles. Policies designed for fully managed mode won't take effect.
Exit shared mode
In case of emergencies or issues with the shared device mode, the device user can run the Exit Shared Device Mode action on the device to exit shared mode. Once they submit the action, the device user enters a passcode issued to them by an admin.
Use Knox Remote Support
You can perform a remote support session on a shared device with Knox Remote Support, provided the Knox Remote Support agent is first installed on the device.
In order for the agent to be functional and accessible, it must be:
- Installed to the personal or primary profile of the device.
- Accessed during a staging user session, not a temporary or persistent user session.
To install the Knox Remote Support agent on a shared device, the staging user must:
- Open the Knox Manage agent, then select Service Desk on the sign-in screen or in the navigation bar.
- Select Download Remote Support app. The Knox Remote Support agent downloads and installs.
Once installed, the agent launches and shows a remote support access code, indicating that it's ready for a remote session.